Notices by Soatok Dreamseeker (soatok@furry.engineer)

I had some referrers show up to my blog in the past few days that I consider quite gross. Most fedi instances agree and defederate with them. You probably know the ones.

Anyway, I wanted to add a polite "you are not welcome here" in the client-side JS, but I didn't want to drop a list of domain names in case they think it's "advertising" for their gross content.

So I decided to write a script that:

1. Generate a random key.
2. Shuffle the list of domain names, using a CSPRNG.
3. Store a truncated HMAC-SHA256 of the domain name with the ephemeral key.
4. Generate a JSON containing the random key and truncated HMAC tags.

Then I dump this JSON into my WordPress site. If the domain hashes to the same truncated tag, it overwrites the body tag.

https://gist.github.com/soatok/2929e319fa65752c67dbf18d5d38b657

You didn't need another reason to hate Meta (which owns Facebook and Instagram), but here ya go anyway:

https://www.thepinknews.com/2025/08/14/meta-robby-starbuck-ai/

Every Fedi instance that preemptively blocked Threads is good and should feel good.

@GreenSkyOverMe There is a distinct difference between an addiction and a compulsive behavior. Confusing the two does a great disservice to the public.

I'm tired of moronic anecdotes being offered in the replies when I cite the actual scientific consensus that sex addiction isn't a real thing. (Neither is porn addiction.)

I frankly don't care if your lived experience with sex/porn involved a prolongued unhealthy relationship. That doesn't make your compulsions a clinical fucking addiction.

If you want to try to argue scientific consensus with me, save me the trouble and just block me instead.

@SuperDicq I would need to review GNU Taler before I recommend it.

@SuperDicq Yeah I'm loosely familiar with it, but "blind signatures" is a hobby horse for some of my friends in the cryptography space, and other GNU cryptography implementations have been awful so I'm wary.

https://soatok.blog/2020/07/08/gnu-a-heuristic-for-bad-cryptography/

Against the Censorship of Adult Content By Payment Processors

This is a furry blog, where I write about whatever interests me and sign it with my fursona's name. I sometimes talk about furry fandom topics, but I sometimes also talk about applied cryptography. If you got a mild bit of emotional whiplash from that sentence, the best list of posts to start reading to get a feel for my usual fare is…

http://soatok.blog/2025/07/24/against-the-censorship-of-adult-content-by-payment-processors/

Y'know those hug consent badges?

They should make them for "does [not] know how to flirt" and "can [not] recognize flirting"

The secret to getting good at writing is being very weird but also caring a lot about other people being able to understand what you're saying.

You gotta be in touch with your own weirdness first. Then you gotta be able to make it relatable to the audience.

This is especially true for technical writing. You need to figure out what your audience already knows or believes, and tie whatever you're explaining to that.

So, like, you can explain Diffie-Hellman mathematics with paint-mixing and "secret colors", right? There are videos that do that. Except instead of colors, it's large numbers.

And it's not a perfect analogy, but it's serviceable.

The thing is, you don't get good at writing by scoring higher on some imaginery hierarchy. It isn't "who's the smartest nerd?" Winning nerd trivia isn't essential.

You fucking need empahty.

You have to care about the reader. Or, at the very least, about the time they're investing in your words.

But if you say it like that, people assume you're talking about fiction.

I've noticed that the respect for one's time can roughly be ordered as such:

1. Queer Fediverse (furries are here)
2. Private messaging
3. Bluesky (on average)
4. Old Twitter (before 2023)
5. Tech Mastodon
6. Unsolicited phone calls

This is a rough heuristic from my personal experience.

Me: "Where ciphertext is stored shouldn't matter if your encryption is actually adequate."

Dozens of people: Complain about endpoint attacks.

Me: "OK, fine, I'll edit the blog post and tediously specify that it's the jurisdiction of where ciphertext is stored until the non sequitur ceases."

https://opossum-attack.com/

Document contains a :3

Jurisdiction Is Nearly Irrelevant to the Security of Encrypted Messaging Apps

Every time I lightly touch on this point, I always get someone who insists on arguing with me about it, so I thought it would be worth making a dedicated, singular-focused blog post about this topic without worrying too much about tertiary matters. Here's the TL;DR: If you actually built your cryptography properly, you shouldn't give a shit which country hosts the ciphertext for your…

http://soatok.blog/2025/07/09/jurisdiction-is-nearly-irrelevant-to-the-security-of-encrypted-messaging-apps/

The society we live in doesn't reward ethical behavior or critical thinking skills. It abhors creativity and free thought. The loudest "free speech" evangelists are quick to cozy up to fascists. The "right to bear arms" folks form militias to enact tyranny on defenseless people. It demonizes anyone that doesn't fit the mold and accuses them of heinous acts, often without any evidence.

And some people think I'm supposed to give half a shit about being perceived as "one of the good ones".

Sorry if you followed me expecting only technical posts, and not my ceaseless furry nonsense or dhole appreciation.

You have my condholences.

Everybody shut up and look at this dhole

https://bsky.app/profile/dholeposting.bsky.social/post/3lryegqytn22p

If you don't know how awesome dholes are, allow me to introduce you to some Dhole Facts.

Dholes hunt by using high-pitch whistles to coordinate their strikes across long distances.

Dholes form conmunal packs of up to 40 members to cooperate together.

Dholes have been known to pee while doing a handstand.

I genuinely do not understand people who have deep fried opinions about Signal needing a goddamn phone number in 2025.

Many privacy nerds were outraged when you needed to give out a phone number to other people in order to talk with them. I was one of those nerds. They fixed that with the usernames rollout.

As a mobile phone app, Signal uses your phone number to bootstrap your enrollment into the protocol. This is literally the path of least resistance as an SMS replacement app, for most users.

If you want to know whether Signal can obtain enough metadata to target users that have enrolled, the answer is complicated.

The way profiles are encrypted, and how sealed sender works, makes any targeting seem infeasible. (Your profile key rotates, at mininum, when you block someone.)

Signal currently does not have IP addresses, etc. stored. If this changes in the future, it will not be retroactive. If you're worried about that, Molly boasts Tor support. Maybe that's fine. I haven't audited Molly, and won't.

The people who tut-tut over the phone number requirement never articulate anything resembling a coherent threat model.

They also are quick to recommend alternatives with inferior cryptography.

Some days I just want to grab them by the shoulders and scream "SHUT THE FUCK UP YOU ARE HURTING PEOPLE" directly into their ears.